*** bdpayne has quit IRC | 00:20 | |
*** alee_afk has quit IRC | 00:47 | |
*** joesavak has joined #openstack-barbican | 00:50 | |
*** jsavak has joined #openstack-barbican | 00:51 | |
*** joesavak has quit IRC | 00:54 | |
*** jkf has quit IRC | 01:46 | |
*** zz_dimtruck is now known as dimtruck | 02:02 | |
openstackgerrit | Douglas Mendizábal proposed a change to openstack/barbican: Modify Barbican DevStack not to use uWSGI https://review.openstack.org/98490 | 02:13 |
*** bubbva has quit IRC | 02:26 | |
*** ayoung-afk has quit IRC | 02:52 | |
*** openstackgerrit has quit IRC | 02:58 | |
*** ayoung-afk has joined #openstack-barbican | 03:05 | |
*** jorge_munoz has joined #openstack-barbican | 03:10 | |
*** jorge_munoz has quit IRC | 03:15 | |
*** jsavak has quit IRC | 03:26 | |
*** jorge_munoz has joined #openstack-barbican | 03:30 | |
*** bubbva has joined #openstack-barbican | 03:32 | |
*** jorge_munoz has quit IRC | 03:42 | |
*** jorge_munoz has joined #openstack-barbican | 03:51 | |
*** kebray has joined #openstack-barbican | 04:09 | |
*** Kamaris has left #openstack-barbican | 04:11 | |
*** juantwo has quit IRC | 04:42 | |
*** kebray has quit IRC | 04:56 | |
*** kebray has joined #openstack-barbican | 05:07 | |
*** jorge_munoz has quit IRC | 05:20 | |
*** jorge_munoz has joined #openstack-barbican | 05:21 | |
*** dimtruck is now known as zz_dimtruck | 05:39 | |
*** ayoung-afk has quit IRC | 05:56 | |
*** jorge_munoz has quit IRC | 05:59 | |
*** kebray has quit IRC | 07:17 | |
*** woodster_ has quit IRC | 07:30 | |
*** juantwo has joined #openstack-barbican | 12:24 | |
*** ayoung has joined #openstack-barbican | 12:45 | |
*** akoneru has joined #openstack-barbican | 12:48 | |
*** vb-awe has joined #openstack-barbican | 13:00 | |
vb-awe | hi | 13:13 |
*** rellerreller has joined #openstack-barbican | 13:14 | |
vb-awe | might i know what is the position of KMIP support for barbican ? | 13:14 |
rellerreller | vb-awe what is the question? | 13:25 |
rellerreller | We have implemented a KMIP secret store that can generate and store symmetric keys in a KMIP server | 13:26 |
rellerreller | There was another patch out there to use HP Atalla ESKM as a crypto plugin, https://review.openstack.org/#/c/116878/ | 13:27 |
rellerreller | vb-awe we are planning to support asymmetric keys in Kilo | 13:29 |
rellerreller | vb-awe Does that answer your question? | 13:29 |
*** joesavak has joined #openstack-barbican | 13:29 | |
vb-awe | yes | 13:30 |
vb-awe | thanks | 13:30 |
vb-awe | also i wanted to know if this uses PyKMIP (the project by JHU-APL) | 13:31 |
rellerreller | The KMIP secret store uses PyKMIP to talk to a KMIP server. I do not think https://review.openstack.org/#/c/116878/ does. | 13:32 |
*** usimha has joined #openstack-barbican | 13:32 | |
rellerreller | vb-awe What is your interest in KMIP? Are there any features that you would like to see or are planning to implement? | 13:34 |
vb-awe | i wanted to contribute by using it along with a KMIP server as backend | 13:37 |
*** jsavak has joined #openstack-barbican | 13:44 | |
*** tdink has joined #openstack-barbican | 13:47 | |
rellerreller | vb-awe cool. Let me know if you have any questions. I would be happy to work with you. I did the KMIP secret store and PyKMIP. The more KMIP developers we get the better! | 13:47 |
*** joesavak has quit IRC | 13:48 | |
*** usimha has quit IRC | 13:50 | |
*** usimha has joined #openstack-barbican | 13:55 | |
usimha | rellerreller: Even I'd also like to contribute. Is there any specific part of KMIP which has not been implemented as of now? | 13:56 |
rellerreller | usimha For PyKMIP we have only implemented create, register, get, and delete, and we only support symmetric keys at the moment. | 13:58 |
rellerreller | We would like to implement a basic KMIP key store / foundry for symmetric and asymmetric keys | 13:59 |
rellerreller | There is a lot of work for that. | 13:59 |
*** tdink has quit IRC | 13:59 | |
rellerreller | In terms of Barbican our next proposals will be asymmetric key support, and probably key wrapping | 14:00 |
*** ayoung has quit IRC | 14:03 | |
usimha | Oh, we would definitely like to contribute towards it. | 14:07 |
*** vb-awe has quit IRC | 14:13 | |
*** openstackgerrit has joined #openstack-barbican | 14:16 | |
*** kebray has joined #openstack-barbican | 14:23 | |
*** vb-awe has joined #openstack-barbican | 14:38 | |
*** JeffF has joined #openstack-barbican | 14:41 | |
*** woodster_ has joined #openstack-barbican | 14:42 | |
*** zz_dimtruck is now known as dimtruck | 14:43 | |
*** kgriffs|afk is now known as kgriffs | 14:46 | |
*** jorge_munoz has joined #openstack-barbican | 14:47 | |
*** vb-awe has left #openstack-barbican | 14:47 | |
*** jsavak has quit IRC | 14:59 | |
*** paul_glass has joined #openstack-barbican | 15:06 | |
*** tdink has joined #openstack-barbican | 15:17 | |
*** SheenaG1 has joined #openstack-barbican | 15:25 | |
*** akoneru has quit IRC | 15:51 | |
*** SheenaG1 has quit IRC | 15:51 | |
*** rellerreller has quit IRC | 15:57 | |
*** rtom has joined #openstack-barbican | 16:12 | |
*** tdink has quit IRC | 16:14 | |
*** himhiker has joined #openstack-barbican | 16:18 | |
*** usimha has quit IRC | 16:18 | |
*** akoneru has joined #openstack-barbican | 16:20 | |
*** himhiker has quit IRC | 16:23 | |
*** jamielennox has quit IRC | 16:25 | |
*** tdink has joined #openstack-barbican | 16:25 | |
*** kebray has quit IRC | 16:31 | |
*** JeffF has left #openstack-barbican | 16:50 | |
*** JeffF has joined #openstack-barbican | 16:54 | |
*** jamielennox has joined #openstack-barbican | 17:10 | |
openstackgerrit | John Vrbanac proposed a change to openstack/barbican: Removing new_name argument from test_wrapper https://review.openstack.org/127598 | 17:13 |
*** jkf has joined #openstack-barbican | 17:13 | |
*** jkf has quit IRC | 17:21 | |
*** ryanpetrello has quit IRC | 17:25 | |
*** ryanpetrello has joined #openstack-barbican | 17:26 | |
openstackgerrit | A change was merged to openstack/barbican: Adding parameterized decorators for unit tests https://review.openstack.org/125106 | 17:30 |
*** rellerreller has joined #openstack-barbican | 17:31 | |
*** bdpayne has joined #openstack-barbican | 18:15 | |
*** kebray has joined #openstack-barbican | 18:27 | |
*** juantwo has quit IRC | 18:30 | |
*** kgriffs is now known as kgriffs|afk | 18:31 | |
*** openstackgerrit has quit IRC | 18:48 | |
*** openstackgerrit has joined #openstack-barbican | 18:55 | |
*** paul_glass has quit IRC | 19:02 | |
*** rellerreller has quit IRC | 19:12 | |
*** mkam has joined #openstack-barbican | 19:13 | |
*** JeffF has quit IRC | 19:13 | |
*** mkam has left #openstack-barbican | 19:14 | |
*** JeffF has joined #openstack-barbican | 19:16 | |
*** juantwo has joined #openstack-barbican | 19:26 | |
*** juantwo has quit IRC | 19:27 | |
*** juantwo has joined #openstack-barbican | 19:27 | |
*** tdink has quit IRC | 19:50 | |
*** lisaclark1 has joined #openstack-barbican | 20:04 | |
*** lisaclark1 has quit IRC | 20:06 | |
*** tdink has joined #openstack-barbican | 21:07 | |
*** tdink has quit IRC | 21:17 | |
openstackgerrit | Arun Kant proposed a change to openstack/barbican-specs: Blueprint for supporting binary secret retrieval in text format https://review.openstack.org/127659 | 21:33 |
*** kebray has quit IRC | 21:33 | |
JeffF | chellygel: do you have a few minutes to help me, or point me in the right direction for getting the digicert plugin running in barbican? | 21:34 |
chellygel | hey JeffF I will try my best! | 21:34 |
JeffF | here's what I've done. | 21:34 |
JeffF | I have it running I guess. I see the output for loaded plugins when barbican starts up. I see the 4 plugins loading, dogtag, sym, simple, and digicert | 21:35 |
JeffF | I see that output | 21:35 |
JeffF | when I issue a request, just via command line curl right now, the output I see is "Invoking issue_certificate_request" from simple_certificate_plugin manager | 21:36 |
JeffF | I enabled the plugin in /etc/barbican-api.conf | 21:36 |
JeffF | so barbican knows about my plugin, but doesn't seem to know to send requests to it. | 21:37 |
JeffF | I'm sure that I have just missed something in configuration. | 21:37 |
chellygel | hmm... i'm not 100% sure, i'm still a nublet -- woodster_ may give better perspective -- but i'd agree with you | 21:37 |
JeffF | do you have any ideas of what I may have missed | 21:37 |
chellygel | i think there is another place that you have to set it? | 21:38 |
chellygel | let me look | 21:38 |
JeffF | I set it to enabled in /etc/barbican-api.conf and listed it in setup.cfg also | 21:38 |
woodster_ | JeffF, can you reply with the lines you modified in the .conf and .cfg files? | 21:39 |
JeffF | sure, one sec | 21:39 |
JeffF | from /etc/barbican-api.conf:: [certificate] | 21:40 |
JeffF | namespace = barbican.certificate.plugin | 21:40 |
JeffF | enabled_certificate_plugins = dc | 21:40 |
JeffF | [certificate_event] | 21:40 |
JeffF | namespace = barbican.certificate.event.plugin | 21:40 |
JeffF | enabled_certificate_event_plugins = dc | 21:40 |
JeffF | from setup.cfg:: | 21:40 |
JeffF | barbican.certificate.plugin = | 21:40 |
JeffF | simple_certificate = barbican.plugin.simple_certificate_manager:SimpleCertificatePlugin | 21:40 |
JeffF | symantec = barbican.plugin.symantec:SymantecCertificatePlugin | 21:40 |
JeffF | dogtag = barbican.plugin.dogtag:DogtagCAPlugin | 21:40 |
JeffF | dc = barbican.plugin.dc:DigiCertCertificatePlugin | 21:40 |
JeffF | boy that formatted terribly, can you read it? | 21:40 |
chellygel | hmm.. | 21:43 |
JeffF | I'm guessing this line: enabled_certificate_event_plugins = dc isn't necessary. | 21:44 |
JeffF | just the one above it, enabled_certificate_plugin probably | 21:45 |
chellygel | so, i'm totally guessing... did you try leaving the eventing one set to simple ? | 21:46 |
chellygel | the simple stuff was added as a default... but i don't remember doing anything w/ the eventing for symantec | 21:47 |
JeffF | chellygel: yeah, I checked the symantec plugin and there wasn't any implementation of the event base class. I can set that back to simple | 21:48 |
JeffF | so this is what I mean. Here's the output on barbican startup for the digicert plugin | 21:54 |
JeffF | DEBUG stevedore.extension [770d00b8-2def-49fb-b612-a173ccadd8b2 ] found extension EntryPoint.parse('dc = barbican.plugin.dc:DigiCertCertificatePlugin') _load_plugins /usr/local/lib/python2.7/dist-packages/stevedore/extension.py:156 | 21:54 |
JeffF | so barbican knows it's there | 21:54 |
JeffF | but when I submit a request, here's what I see and I don't see any of my logging in my syslog or console where I'm sending it. | 21:55 |
JeffF | INFO barbican.plugin.simple_certificate_manager [770d00b8-2def-49fb-b612-a173ccadd8b2 None] Invoking issue_certificate_request() | 21:55 |
chellygel | hmmf! woodster_ any ideas :S | 22:00 |
woodster_ | JeffF, is there another enabled_certificate_plugins = simple_certificate sort of line in that /etc/barbican/barbican-api.conf file perhaps? | 22:04 |
* JeffF looking | 22:05 | |
woodster_ | JeffF, you are running this from a virtual env with a local barbican git repository, correct? | 22:05 |
JeffF | correct | 22:05 |
JeffF | I don't see any other relevant line, well, what to my eyes seems relevant to the plugin anyway. which isn't saying much. but I know there must be some other configuration somewhere because I commented out the plugins from setup.cfg, ran barbican.sh install and then barbican complained about not having the other cert plugins installed | 22:08 |
JeffF | If there isn't anything obvious that sticks out to you, then I must have just done something weird or missed something. | 22:09 |
JeffF | well, I don't want to keep you. I bet it's just past 5 your time, so I can keep playing with this and if I get stuck again, I'll hit you up next week sometime, how's that? | 22:10 |
woodster_ | JeffF, you should only run barbican.sh install once per virtual environment. After that, use barbican.sh start. If you run barbican.sh install again, it will overwrite your /etc/barbican/... configuration files. | 22:11 |
JeffF | I realized that | 22:11 |
JeffF | as I noticed it was getting overwritten | 22:12 |
woodster_ | So if you did this: barbican.sh install -> modify setup.cfg and /etc/barbican/barbican.conf -> barbican.sh start, then I think you might need to run this again: pip install -e . | 22:13 |
woodster_ | JeffF, that 'pip install -e .' part is necessary because you modified the setup.cfg file I believe. | 22:13 |
JeffF | ahhh, ok. I think that makes sense | 22:14 |
JeffF | I'll try that then and I'll get back to you next week if I get stuck again. | 22:15 |
JeffF | thanks woodster_ and chellygel !! | 22:15 |
woodster_ | JeffF, then run barbican.sh start after that. But you do see the 'dc = ...' log coming out of stevedore | 22:15 |
woodster_ | JeffF, for sure, please let us know if you get blocked or have success! | 22:16 |
JeffF | I do. I see that barbican knows the plugin is enabled | 22:16 |
JeffF | woodster_: thanks! Have a good weekend! | 22:16 |
woodster_ | JeffF, you as well | 22:16 |
JeffF | thanks! | 22:16 |
*** gyee has quit IRC | 22:18 | |
*** rtom has quit IRC | 22:25 | |
*** ametts has quit IRC | 22:27 | |
*** JeffF has left #openstack-barbican | 22:27 | |
*** jorge_munoz has quit IRC | 22:38 | |
*** ayoung has joined #openstack-barbican | 22:40 | |
*** openstackgerrit has quit IRC | 22:54 | |
*** tdink has joined #openstack-barbican | 22:58 | |
*** tdink has quit IRC | 23:09 | |
*** kebray has joined #openstack-barbican | 23:23 | |
*** kebray has quit IRC | 23:34 |